Monthly Archives: February 2016

EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield

On Tuesday 2nd February 2016 an agreement was reached after several months of negotiations between the EU and the USA. This followed the Schrems case and the European Court of Justice ruling of 6th October 2015, which declared the old so-called ‘Safe Harbour’ framework invalid. The grace period allowed for Safe Harbour transfers expired on 31st January.

The EU-US Privacy Shield

Some of the key elements of the new framework are listed below:

Strong obligations on companies handling Europeans’ personal data and robust enforcement: U.S. companies wishing to import personal data from Europe will need to commit to robust obligations on how personal data is processed and how individual rights are guaranteed. The Department of Commerce will monitor that companies publish their commitments, which makes them enforceable under U.S. law by the U.S. Federal Trade Commission. In addition, any company handling human resources data from Europe has to commit to comply with decisions by European DPAs.

Clear safeguards and transparency obligations on U.S. government access: For the first time, the US has given the EU written assurances that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms. The U.S. has ruled out indiscriminate mass surveillance on the personal data transferred to the US under the new arrangement. To regularly monitor the functioning of the arrangement there will be an annual joint review. The European Commission and the U.S. Department of Commerce will conduct the review and invite national intelligence experts from the U.S. and European Data Protection Authorities to it.

Effective protection of EU individuals’ rights with several redress possibilities: Any individual who considers that their data has been misused under the new arrangement will have several redress possibilities. Companies have deadlines within which to reply to complaints. European DPAs can refer complaints to the Department of Commerce and the Federal Trade Commission. In addition, Alternative Dispute Resolution will be free of charge. For complaints about possible access by national intelligence authorities, a new Ombudsperson will be created.

EU-US Privacy Shield Next Steps

Vice-President Ansip and Commissioner Jourová have been mandated to prepare a draft “adequacy decision” in the coming weeks, which could then be adopted by the College of Commissioners after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the EU Member States. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and new Ombudsperson.

Charities are having a tough time with data protection at the moment. The Daily Mail is pursuing them for their donor practices, and even when their behaviour is compliant, the reputational impact is enormously damaging to all charities, not just the few cited in the press.

Now the Alzheimer’s Society has fallen foul of the ICO because its volunteers were not trained in data protection and were following inadequate processes, particularly in relation to sensitive personal data – for example using personal email addresses to send and receive data about the people who use the charity’s services; storing unencrypted data on their home computers; and not keeping paper records locked away securely.

This case illustrates the need for charities to provide data protection training not only to their own employees, but also to their volunteers. Volunteers give selflessly of their time and energy, but even with the best intentions in the world, they cannot be expected to know the nuances of what is and is not acceptable in terms of data compliance and security. Where sensitive personal data is concerned, this becomes a significant failing that will rebound on the charity and generate a great deal of negative attention. At the same time, lack of procedure and training creates an enormous risk of damage and distress to the very vulnerable individuals the charity is seeking to help.

Training volunteers as well as staff in data protection is essential to ensure security is maintained, that users are protected, and to provide reassurance that the charity is adopting a robust approach to data protection – particularly important to the Trustees as they are accountable and liable for breaches.

In addition, the charity’s own policies and procedures should be distributed and explained to all volunteers without exception. And finally, checks should be carried out on an ongoing basis to ensure that volunteers are adhering to the charity’s documented policies and procedures.

Data Compliant is pleased to offer face-to-face training and / or online data protection training – in each case covering the 8 principles of the Data Protection Act, the Privacy and Electronic Communications Regulations (PECR), data security, and information on the upcoming European General Data Protection Regulation (GDPR).

Data Compliant training courses are written in clear, easy language. The online training includes relevant and engaging gamification, and is ideal for employees, volunteers and Trustees. If you’d like more information, please email dc@datacompliant.co.uk or call 01787 277742.